From ma...@apache.org
Subject svn commit: r1073296 - in /tomcat/trunk: java/org/apache/catalina/realm/JNDIRealm.java webapps/docs/changelog.xml webapps/docs/config/realm.xml
Date Tue, 22 Feb 2011 11:08:43 GMT
Author: markt
Date: Tue Feb 22 11:08:42 2011
New Revision: 1073296

URL: http://svn.apache.org/viewvc?rev=1073296&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=19444
Add an option to the JNDI realm to allow role searches to be performed by the authenticated
user.

Modified:
    tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
    tomcat/trunk/webapps/docs/changelog.xml
    tomcat/trunk/webapps/docs/config/realm.xml

Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java?rev=1073296&r1=1073295&r2=1073296&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java Tue Feb 22 11:08:42 2011
@@ -365,7 +365,14 @@ public class JNDIRealm extends RealmBase
      */
     protected boolean roleNested = false;
 
-
+    /**
+     * When searching for user roles, should the search be performed as the user
+     * currently being authenticated? If false, {@link #connectionName} and
+     * {@link #connectionPassword} will be used if specified, else an anonymous
+     * connection will be used. 
+     */
+    protected boolean roleSearchAsUser = false;
+    
     /**
      * An alternate URL, to which, we should connect if connectionURL fails.
      */
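Review bot: The new `roleSearchAsUser` field has no accessor anywhere in this diff, and Tomcat configures Realm attributes by reflection on setter methods, so unless a setter is added elsewhere the `roleSearchAsUser` attribute documented in realm.xml will not be settable from server.xml. Suggest adding `public boolean isRoleSearchAsUser() { return roleSearchAsUser; }` and `public void setRoleSearchAsUser(boolean roleSearchAsUser) { this.roleSearchAsUser = roleSearchAsUser; }` alongside the existing accessors. The Javadoc should also state the operational consequence: enabling this requires the authenticated user's credential to be retained on the `User` object until the role search completes, which widens its in-memory exposure. The enclosing class body continues on both sides of the hunk.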
@@ -1692,8 +1699,18 @@ public class JNDIRealm extends RealmBase
         controls.setReturningAttributes(new String[] {roleName});
 
         // Perform the configured search and process the results
-        NamingEnumeration<SearchResult> results =
-            context.search(roleBase, filter, controls);
+        NamingEnumeration<SearchResult> results = null;
+        try {
+            if (roleSearchAsUser) {
+                userCredentialsAdd(context, dn, user.getPassword());
+            }
+            results = context.search(roleBase, filter, controls);
+        } finally {
+            if (roleSearchAsUser) {
+                userCredentialsRemove(context);
+            }
+        }
+
         if (results == null)
             return (list);  // Should never happen, but just in case ...
 

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1073296&r1=1073295&r2=1073296&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Feb 22 11:08:42 2011
@@ -45,6 +45,10 @@
 <section name="Tomcat 7.0.9 (markt)">
   <subsection name="Catalina">
     <changelog>
+      <add>
+        <bug>19444</bug>: Add an option to the JNDI realm to allow role searches
+        to be performed by the authenticated user. (markt)
+      </add>
       <fix>
         <bug>48863</bug>: Better logging when specifying an invalid directory
         for a class loader. Based on a patch by Ralf Hauser. (markt)

Modified: tomcat/trunk/webapps/docs/config/realm.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1073296&r1=1073295&r2=1073296&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/realm.xml (original)
+++ tomcat/trunk/webapps/docs/config/realm.xml Tue Feb 22 11:08:42 2011
@@ -412,6 +412,14 @@
         property.</p>
       </attribute>
 
+      <attribute name="roleSearchAsUser" required="false">
+        <p> When searching for user roles, should the search be performed as the
+        user currently being authenticated? If false,
+        <code>connectionName</code>} and <code>connectionPassword</code>
will be
+        used if specified, else an anonymous. If not specified, the default
+        value of <code>false</code> is used.</p>
+      </attribute>
+
       <attribute name="roleSubtree" required="false">
         <p>Set to <code>true</code> if you want to search the entire
         subtree of the element specified by the <code>roleBase</code>


